Hi,
I know the issue means the client (or name of the client) is wrong, but I can't figure out why, and I attempt to create it using the commands, keytab looks fine, and I have another server working, but on a previous version. So I'm stuck...
I have tried to raise the log_level to 9 in [sssd], [domain/example.com] and [domain/child.example.com], but I have no message in krb5_child.log...
On the machine that works, I can log in with my_user@example.com; on the other I get a client not found in Kerberos database, backend offline.
On the machine with the offline backend I get:
[...]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ad.example.com' as 'not working'
servicePrincipalName RestrictedKrbHost/SERVERNOTOK
servicePrincipalName host/SERVERNOTOK
sssd.conf looks like:
root@servernotok:/var/log/sssd# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level =9
services = nss, pam
enumerate = true
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false
enumerate = true
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false
I have tried to force the ldap_sasl_authidn; without it, it didn't find any match for servernotok@EXAMPLE.COM, and I did get the same client not found in Kerberos error message.
So I am stuck here, I do not even know if the right behaviour is the one that works or not :-)
Thanks for your help,
Jeremy